Liferay, Insecure Direct Object Reference (IDOR), CVE-2025-XXXXX (Moderate)


This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the Liferay Account Admin Web portlet. The flaw lies in the handling of the `_com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId` request parameter. In a vulnerable Liferay instance, an authenticated user can supply an arbitrary value for this user-controlled key (the `addressId` parameter). The application does not verify that the requested address object belongs to the current user's account context; instead of performing an authorization check, it uses the supplied ID directly to retrieve and display the corresponding address record. A malicious authenticated user can therefore change the `addressId` value to one associated with a different account, bypass the intended authorization controls, and read address details from accounts other than their own.
Platform: Liferay Portal/DXP
Version: 7.4.3.4-7.4.3.111, 2023.Q4.0-2023.Q4.5, 2023.Q3.1-2023.Q3.8, 7.4 GA-update 92

Vulnerability: IDOR

Severity: Moderate

Date: 2024-10-13

Prediction: 2024-10-27

What Undercode Say:

```bash
curl -u 'user:pass' 'https://liferay-instance.com/group/control_panel/manage?p_p_id=AccountEntriesAdminPortlet&_com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId=ATTACKER_PROVIDED_ID'
```

```java
// Flawed code snippet (conceptual): render path of the Account Admin portlet
import com.liferay.portal.kernel.model.Address;
import com.liferay.portal.kernel.service.AddressLocalServiceUtil;
import com.liferay.portal.kernel.util.ParamUtil;

// The request parameter is read and used directly as a database primary key
long addressId = ParamUtil.getLong(renderRequest, "addressId");
Address address = AddressLocalServiceUtil.getAddress(addressId);
// Missing check: if (userHasPermissionForAddress(user, address))
renderRequest.setAttribute("address", address);
```

How to Exploit:

Attacker authenticates normally. Attacker then browses to the Account Admin panel. Attacker intercepts the request or modifies the URL, changing the `addressId` parameter to a value belonging to another account. The server returns the address details for the unauthorized account ID, successfully bypassing authorization.

Protection from this CVE

Apply official patch. Implement proper authorization checks. Use indirect reference maps. Deny access by default.
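The following is an added illustration, not Liferay code: a Python model of the flawed `addressId` lookup shown above next to a hardened version that applies the protections listed here (an ownership check against the caller's account context, deny by default, and a per-session indirect reference map so raw database keys never reach the client). Accounts, users and addresses are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Address:
    address_id: int
    account_id: int   # account entry that owns this address
    street: str

# Constructed sample data: two accounts, one address each, one user per account.
ADDRESSES = {1001: Address(1001, 1, "1 Alice Way"),
             2002: Address(2002, 2, "2 Bob Street")}
USER_ACCOUNT = {"alice": 1, "bob": 2}

def get_address_flawed(user: str, address_id: int) -> Optional[Address]:
    # Mirrors the vulnerable portlet: the request parameter is used as a
    # primary key and the caller's account context is never consulted.
    return ADDRESSES.get(address_id)

def get_address_checked(user: str, address_id: int) -> Optional[Address]:
    # Hardened lookup: deny by default; return the object only when its
    # owning account matches the caller's account. A missing ID and a
    # foreign ID both yield None, so the response does not reveal which.
    address = ADDRESSES.get(address_id)
    if address is None or address.account_id != USER_ACCOUNT.get(user):
        return None
    return address

@dataclass
class ReferenceMap:
    # Per-session indirect reference map: the client only ever sees opaque
    # tokens issued for this user, never the database key.
    user: str
    _tokens: dict = field(default_factory=dict)

    def issue(self, address_id: int) -> str:
        if get_address_checked(self.user, address_id) is None:
            raise PermissionError("address not accessible to this user")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = address_id
        return token

    def resolve(self, token: str) -> Optional[Address]:
        # Unknown or foreign tokens resolve to nothing; the ownership check
        # runs again in case account membership changed after issuance.
        address_id = self._tokens.get(token)
        if address_id is None:
            return None
        return get_address_checked(self.user, address_id)
```

With the flawed lookup, `bob` can read address `1001` from `alice`'s account; with the checked lookup the same request yields nothing, and a token issued to `alice` is meaningless in `bob`'s session.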

Impact:

Unauthorized data access. Information disclosure. Privacy violation.


Sources:

Reported By: github.com